[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v6] altp2m: Introduce external-only and limited use-cases



On Wed, Apr 5, 2017 at 9:04 AM, George Dunlap <george.dunlap@xxxxxxxxxx> wrote:
> On Tue, Apr 4, 2017 at 4:24 PM, Tamas K Lengyel
> <tamas.lengyel@xxxxxxxxxxxx> wrote:
>> Currently setting altp2mhvm=1 in the domain configuration allows access to 
>> the
>> altp2m interface for both in-guest and external privileged tools. This poses
>> a problem for use-cases where only external access should be allowed, 
>> requiring
>> the user to compile Xen with XSM enabled to be able to appropriately restrict
>> access.
>>
>> In this patch we deprecate the altp2mhvm domain configuration option and
>> introduce the altp2m option, which allows specifying if by default the altp2m
>> interface should be external-only or limited. The information is stored in
>> HVM_PARAM_ALTP2M which we now define with specific XEN_ALTP2M_* modes.
>> If external mode is selected, the XSM check is shifted to use XSM_DM_PRIV
>> type check, thus restricting access to the interface by the guest itself. 
>> Note
>> that we keep the default XSM policy untouched. Users of XSM who wish to 
>> enforce
>> external mode for altp2m can do so by adjusting their XSM policy directly,
>> as this domain config option does not override an active XSM policy.
>>
>> Also, as part of this patch we adjust the hvmop handler to require
>> HVM_PARAM_ALTP2M to be of a type other then disabled for all ops. This has 
>> been
>> previously only required for get/set altp2m domain state, all other options
>> were gated on altp2m_enabled. Since altp2m_enabled only gets set during set
>> altp2m domain state, this change introduces no new requirements to the other
>> ops but makes it more clear that it is required for all ops.
>>
>> Signed-off-by: Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx>
>> Signed-off-by: Sergej Proskurin <proskurin@xxxxxxxxxxxxx>
>> Acked-by: Wei Liu <wei.liu2@xxxxxxxxxx>
>> ---
>> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
>> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>> Cc: Jan Beulich <jbeulich@xxxxxxxx>
>> Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>>
>> v5: Add "limited" mode where the guest only has access to enable/disable
>>     VMFUNC and #VE features.
>>
>> v6: Check mode when XSM is enabled so that both the mode and the XSM policy
>>     has to allow the altp2m operation to succeed. Makes limited mode 
>> available
>>     even when XSM is enabled.
>> ---
>>  docs/man/xl.cfg.pod.5.in        | 41 
>> ++++++++++++++++++++++++++++++++++++++++-
>>  tools/libxl/libxl_create.c      |  6 ++++--
>>  tools/libxl/libxl_dom.c         | 18 ++++++++++++++++--
>>  tools/libxl/libxl_types.idl     | 14 ++++++++++++++
>>  tools/xl/xl_parse.c             | 20 +++++++++++++++++++-
>>  xen/arch/x86/hvm/hvm.c          | 22 ++++++++++++----------
>>  xen/include/public/hvm/params.h | 12 +++++++++++-
>>  xen/include/xsm/dummy.h         | 23 ++++++++++++++++++++---
>>  xen/include/xsm/xsm.h           |  6 +++---
>>  xen/xsm/flask/hooks.c           | 21 ++++++++++++++++++++-
>>  10 files changed, 159 insertions(+), 24 deletions(-)
>>
>> diff --git a/docs/man/xl.cfg.pod.5.in b/docs/man/xl.cfg.pod.5.in
>> index 206d33eb3f..616dc093b0 100644
>> --- a/docs/man/xl.cfg.pod.5.in
>> +++ b/docs/man/xl.cfg.pod.5.in
>> @@ -1319,6 +1319,41 @@ enabled by default and you should usually omit it. It 
>> may be necessary
>>  to disable the HPET in order to improve compatibility with guest
>>  Operating Systems (X86 only)
>>
>> +=item B<altp2m=MODE>
>> +
>> +Specifies access mode to the alternate-p2m capability. Alternate-p2m allows 
>> a
>> +guest to manage multiple p2m guest physical "memory views" (as opposed to a
>> +single p2m). This option is disabled by default and is available to x86 hvm
>> +domains. You may want this option if you want to access-control/isolate
>> +access to specific guest physical memory pages accessed by the guest, e.g. 
>> for
>> +domain memory introspection or for isolation/access-control of memory 
>> between
>> +components within a single guest domain.
>> +
>> +The valid values are as follows:
>> +
>> +=over 4
>> +
>> +=item B<"disabled">
>> +
>> +Altp2m is disabled for the domain (default).
>> +
>> +=item B<"mixed">
>> +
>> +The mixed mode allows access to the altp2m interface for both in-guest
>> +and external tools as well.
>> +
>> +=item B<"external">
>> +
>> +Enables access to the alternate-p2m capability for hvm guests only
>> +by external privileged tools.
>> +
>> +=item B<"limited">
>> +
>> +Enables limited access to the alternate-p2m capability for hvm guests only,
>> +ie. giving the guest access only to enable/disable the VMFUNC and #VE 
>> features.
>
> So just trying to understand the options here... is it he case that in
> all non-"disabled" modes dom0 has access to all altp2m functionality?

Yes.

> And so the various "enabled" modes are varying levels of access to
> guest functionality:
>
> - "external": No guest functionality
> - "limited": Guest can call HVMOP_altp2m_vcpu_enable_notify only
> - "mixed": Guest has access to all altp2m functionality
>
> If so, I think the documentation would be clearer like this:
>
> "mixed"
>
> Both external domains and the guest itself have full access to altp2m
> functionality
>
> "limited"
>
> External domains have access to full altp2m functionality; guest has
> access only to HVMOP_altp2m_vcpu_enable_notify (ability to enable
> VMFUNC and #VE features).
>
> "external"
>
> External domains have access to full altp2m functionality; guest has
> no access to any altp2m functionality.

Sounds good to me.

> Out of curiosity, what's the use case of the "mixed" mode?

It's not entirely clear but that has been the mode that it was introduced with.

Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.